Hello,
Conflux appears to be the primary source of bugs and crashes for us in the past few months and there have been numerous issues related to it on GitLab.
From the tor manual page:
    ConfluxEnabled 0|1|auto
        If this option is set to 1, general purpose traffic will use Conflux which is traffic splitting among multiple legs (circuits). Onion services are not supported at the moment. Default value is set to "auto" meaning the consensus is used to decide unless set. (Default: auto)
Will ConfluxEnabled 0 disable it for tor acting as a client only or for relays as well?
Thanks!
applied-privacy.net
Hi,
The recipe on the torproject page, the way it is displayed, does not allow for the firewall to be properly set. This results in operators new to FEDORA installing bridges WITHOUT any firewall.
This is both because firewalld does not come with most Fedora VPS and because firewalld remains inactive when not started even when enabled.
Please add the line

    sudo dnf install firewalld
    sudo systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --add-port TODO1/tcp --permanent
    firewall-cmd --add-port TODO2/tcp --permanent
    systemctl status firewalld
    firewall-cmd --reload

at the location where firewall-cmd is stated in the existing torproject recipe webpage for fedora!
That'd be some progress:).
FOR CLARITY, here is a script that is concise and replicates a functional version of the torproject intent on Fedora BRIDGES, for your review and open to positive criticism.

    dnf update
    dnf install dnf-automatic
    systemctl enable --now dnf-automatic-install.timer

    rm -f /etc/yum.repos.d/Tor.repo
    echo "[tor]" > /etc/yum.repos.d/Tor.repo
    # Single quotes keep $releasever and $basearch literal, so dnf expands them, not the shell.
    echo 'name=Tor for Fedora $releasever - $basearch' >> /etc/yum.repos.d/Tor.repo
    echo 'baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch' >> /etc/yum.repos.d/Tor.repo
    echo "enabled=1" >> /etc/yum.repos.d/Tor.repo
    echo "gpgcheck=1" >> /etc/yum.repos.d/Tor.repo
    echo "gpgkey=https://rpm.torproject.org/fedora/public_gpg.key" >> /etc/yum.repos.d/Tor.repo
    echo "cost=100" >> /etc/yum.repos.d/Tor.repo

    dnf install tor
    dnf install obfs4

    rm -f /etc/tor/torrc
    echo "RunAsDaemon 1" > /etc/tor/torrc
    echo "BridgeRelay 1" >> /etc/tor/torrc
    echo "ORPort TODO1" >> /etc/tor/torrc
    echo "ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy" >> /etc/tor/torrc
    echo "ServerTransportListenAddr obfs4 yourIPaddress:TODO2" >> /etc/tor/torrc
    echo "ExtORPort auto" >> /etc/tor/torrc
    echo "AccountingMax 10 TBytes" >> /etc/tor/torrc
    echo "AccountingStart day 00:00" >> /etc/tor/torrc
    echo "RelayBandwidthBurst 200 MBytes" >> /etc/tor/torrc
    echo "RelayBandwidthRate 200 MBytes" >> /etc/tor/torrc
    echo "ContactInfo your-email@example.com" >> /etc/tor/torrc
    echo "Nickname TODO3" >> /etc/tor/torrc

    getenforce
    setenforce 0
    echo "SELINUX=permissive" > /etc/selinux/config
    echo "SELINUXTYPE=targeted" >> /etc/selinux/config

    sudo dnf install firewalld
    sudo systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --add-port TODO1/tcp --permanent
    firewall-cmd --add-port TODO2/tcp --permanent
    systemctl status firewalld
    firewall-cmd --reload
    systemctl enable --now tor

    echo "please be prepared to copy-paste the entire (incomplete) bridge-line"
    nano /var/db/tor/pt_state/obfs4_bridgeline.txt
    echo "please be prepared to copy-paste the ----server's identity key fingerprint------ down for the next step."
    echo "the structure to communicate about your bridge will be: "
    echo "Bridge obfs4 <yourIPaddress>:TODO2 TODO3 <paste server's identity key fingerprint copied from the next step-to-come> <paste bridge line already copied the previous step>"
    # sleep, not wait: give tor a few seconds to start before reading its log
    sleep 5
    journalctl -e -u tor

Carlos.
updates every second week.
Hi,
The recipe on the torproject page, the way it is displayed, does not allow for the firewall to be properly set. This results in operators new to FEDORA installing bridges WITHOUT any firewall.
This is both because firewalld does not come in natively with most fedora VPS and because
***** firewalld remains inactive when not started even when enabled.
Please add the line

    sudo dnf install firewalld
    sudo systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --add-port TODO1/tcp --permanent
    firewall-cmd --add-port TODO2/tcp --permanent
    systemctl status firewalld
    firewall-cmd --reload

at the location where firewall-cmd is stated in the existing torproject recipe webpage for fedora!
Please kindly confirm / infirm the website update.
Carlos.
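
The enabled-versus-running distinction raised in the two messages above can be checked after setup. This is an added example, not part of the original posts or of the torproject recipe; the function names are hypothetical and ports 9001 and 8443 in the usage comment are constructed stand-ins for TODO1 and TODO2.

```shell
#!/bin/sh
# Added example: confirm that firewalld on a Fedora bridge is both enabled
# at boot AND running now, and that the bridge ports are open in both the
# runtime and the permanent rule sets.

# firewall_verdict ENABLED ACTIVE RUNTIME_PORTS PERMANENT_PORTS PORT...
# Pure decision logic: prints one finding per line, returns 0 only if clean.
firewall_verdict() {
    enabled=$1 active=$2 runtime=$3 permanent=$4
    shift 4
    rc=0
    # "enabled" only means "start at next boot"; the daemon may still be stopped.
    [ "$enabled" = "enabled" ] || { echo "firewalld not enabled at boot"; rc=1; }
    [ "$active" = "active" ] || { echo "firewalld not running now"; rc=1; }
    for port in "$@"; do
        case " $runtime " in
            *" $port/tcp "*) ;;
            *) echo "$port/tcp missing from runtime rules (firewall-cmd --reload)"; rc=1 ;;
        esac
        case " $permanent " in
            *" $port/tcp "*) ;;
            *) echo "$port/tcp missing from permanent rules"; rc=1 ;;
        esac
    done
    return $rc
}

# check_live PORT...: gather the real state and hand it to firewall_verdict.
check_live() {
    firewall_verdict \
        "$(systemctl is-enabled firewalld 2>/dev/null)" \
        "$(systemctl is-active firewalld 2>/dev/null)" \
        "$(firewall-cmd --list-ports 2>/dev/null)" \
        "$(firewall-cmd --permanent --list-ports 2>/dev/null)" \
        "$@"
}

# Usage (as root): sh check_fw.sh 9001 8443
if [ $# -gt 0 ]; then
    check_live "$@"
fi
```

Ports opened as part of a range (for example 9001-9010/tcp) are not matched by this check.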
Hi,
On 4/5/24 23:47, applied-privacy.net via tor-relays wrote:
> Hello,
> conflux appears to be the primary source of bugs and crashes for us in the past few months and there have been numerous issues related to it on gitlab.
Conflux was a big change for the network and there are still some bugs that we are trying to solve. At the same time it has made things significantly better for users and it wouldn't be ideal if you disable it on all your relays. We would rather work with you to help you run your relays smoothly.
When you mention crashes are you referring to issue: https://gitlab.torproject.org/tpo/core/tor/-/issues/40921? Has this been happening again since?
Let me know.
Cheers,
-hiro
> from the tor manual page:
> ConfluxEnabled 0|1|auto If this option is set to 1, general purpose traffic will use Conflux which is traffic splitting among multiple legs (circuits). Onion services are not supported at the moment. Default value is set to "auto" meaning the consensus is used to decide unless set. (Default: auto)
> will ConfluxEnabled 0 disable it for tor acting as a client only or for relays as well?
> thanks! applied-privacy.net
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> will ConfluxEnabled 0 disable it for tor acting as a client only or for relays as well?
Yes, it affects relays as well, not just clients.
Due to the high frequency of bug events related to conflux, especially: https://gitlab.torproject.org/tpo/core/tor/-/issues/40908
the tor_bug_reached metric basically becomes meaningless because it is "normal" to see that counter increase all the time. To work around that issue we filed the following issue which would make it possible to run exits with conflux enabled without rendering the tor_bug_reached metric meaningless:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40930
FYI from the tor log file:
This tor is a relay and ConfluxEnabled is set to 0. We would ask you to please write to us on tor-relay@lists.torproject.org or file a bug explaining why you have disabled this option. Without news from you, we might end up marking your relay as a BadExit.
Hi,
On 4/14/24 16:17, applied-privacy.net via tor-relays wrote:
> > will ConfluxEnabled 0 disable it for tor acting as a client only or for relays as well?
> Yes, it affects relays as well, not just clients.
> Due to the high frequency of bug events related to conflux, especially: https://gitlab.torproject.org/tpo/core/tor/-/issues/40908
> the tor_bug_reached metric basically becomes meaningless because it is "normal" to see that counter increase all the time. To work around that issue we filed the following issue which would make it possible to run exits with conflux enabled without rendering the tor_bug_reached metric meaningless:
> https://gitlab.torproject.org/tpo/core/tor/-/issues/40930
> FYI from the tor log file:
> This tor is a relay and ConfluxEnabled is set to 0. We would ask you to please write to us on tor-relay@lists.torproject.org or file a bug explaining why you have disabled this option. Without news from you, we might end up marking your relay as a BadExit.
Thanks for reporting this. I have opened https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/815 to fix it.
I was wondering if you had disabled conflux for any of your relays, and if this was the case what we could do to help you and have you re-enable it again.
Talk soon,
-hiro